eventmachine-le 1.1.3 → 1.1.4.beta.2

data/.travis.yaml

@@ -0,0 +1,7 @@
+language: ruby
+rvm:
+  - 1.8.7
+  - 1.9.3
+
+before_install:
+  - sudo apt-get install libssl-dev

data/Gemfile

@@ -0,0 +1,8 @@
+source "http://rubygems.org"
+
+gemspec
+
+group :test do
+  gem "rake", "~> 0.9.2"
+end
+

data/README.md

@@ -59,6 +59,7 @@ the following features/fixes have been applied in EventMachine-LE:
 * `EM::Protocols::SmtpServer`: support multiple messages per one connection and login auth type ([bogdan](https://github.com/eventmachine/eventmachine/pull/288)).
 * Reimplement `EM::Queue` to avoid shift/push performance problem ([grddev](https://github.com/eventmachine/eventmachine/pull/311)).
 * Many code cleanups.
+* New `EM::Connection` option for the `start_tls()` method: `:use_tls` (when true TLS version is used, SSL otherwise).
 
 
 ## Installation ##

data/ext/cmain.cpp

@@ -453,12 +453,12 @@ extern "C" void evma_start_tls (const unsigned long binding)
 evma_set_tls_parms
 ******************/
 
-extern "C" void evma_set_tls_parms (const unsigned long binding, const char *privatekey_filename, const char *certchain_filename, int verify_peer, int use_tls)
+extern "C" void evma_set_tls_parms (const unsigned long binding, const char *privatekey_filename, const char *certchain_filename, int verify_peer, int ssl_version, const char *cipherlist)
 {
 	ensure_eventmachine("evma_set_tls_parms");
 	EventableDescriptor *ed = dynamic_cast <EventableDescriptor*> (Bindable_t::GetObject (binding));
 	if (ed)
-		ed->SetTlsParms (privatekey_filename, certchain_filename, (verify_peer == 1 ? true : false), (use_tls == 1 ? true : false));
+		ed->SetTlsParms (privatekey_filename, certchain_filename, (verify_peer == 1 ? true : false), ssl_version, cipherlist);
 }
 
 /******************

data/ext/ed.cpp

@@ -384,7 +384,7 @@ ConnectionDescriptor::ConnectionDescriptor (int sd, EventMachine_t *em):
 	SslBox (NULL),
 	bHandshakeSignaled (false),
 	bSslVerifyPeer (false),
-	bSslUseTls (false),
+	bSslVersion (0),
 	bSslPeerAccepted(false),
 	#endif
 	#ifdef HAVE_KQUEUE
@@ -1136,7 +1136,7 @@ void ConnectionDescriptor::StartTls()
 	if (SslBox)
 		throw std::runtime_error ("SSL/TLS already running on connection");
 
-	SslBox = new SslBox_t (bIsServer, PrivateKeyFilename, CertChainFilename, bSslVerifyPeer, bSslUseTls, GetBinding());
+	SslBox = new SslBox_t (bIsServer, PrivateKeyFilename, CertChainFilename, bSslVerifyPeer, bSslVersion, CipherList, GetBinding());
 	_DispatchCiphertext();
 	#endif
 
@@ -1150,7 +1150,7 @@ void ConnectionDescriptor::StartTls()
 ConnectionDescriptor::SetTlsParms
 *********************************/
 
-void ConnectionDescriptor::SetTlsParms (const char *privkey_filename, const char *certchain_filename, bool verify_peer, bool use_tls)
+void ConnectionDescriptor::SetTlsParms (const char *privkey_filename, const char *certchain_filename, bool verify_peer, int ssl_version, const char *cipherlist)
 {
 	#ifdef WITH_SSL
 	if (SslBox)
@@ -1160,7 +1160,9 @@ void ConnectionDescriptor::SetTlsParms (const char *privkey_filename, const char
 	if (certchain_filename && *certchain_filename)
 		CertChainFilename = certchain_filename;
 	bSslVerifyPeer = verify_peer;
-        bSslUseTls = use_tls;
+        bSslVersion = ssl_version;
+        if (cipherlist && *cipherlist)
+          CipherList = cipherlist;
 	#endif
 
 	#ifdef WITHOUT_SSL

data/ext/ed.h

@@ -70,7 +70,7 @@ class EventableDescriptor: public Bindable_t
 		virtual bool GetSubprocessPid (pid_t*) {return false;}
 
 		virtual void StartTls() {}
-		virtual void SetTlsParms (const char *privkey_filename, const char *certchain_filename, bool verify_peer, bool use_tls) {}
+		virtual void SetTlsParms (const char *privkey_filename, const char *certchain_filename, bool verify_peer, int ssl_version, const char *cipherlist) {}
 
 		#ifdef WITH_SSL
 		virtual X509 *GetPeerCert() {return NULL;}
@@ -195,7 +195,7 @@ class ConnectionDescriptor: public EventableDescriptor
 		virtual int GetOutboundDataSize() {return OutboundDataSize;}
 
 		virtual void StartTls();
-		virtual void SetTlsParms (const char *privkey_filename, const char *certchain_filename, bool verify_peer, bool use_tls);
+		virtual void SetTlsParms (const char *privkey_filename, const char *certchain_filename, bool verify_peer, int ssl_version, const char *cipherlist);
 
 		#ifdef WITH_SSL
 		virtual X509 *GetPeerCert();
@@ -241,7 +241,8 @@ class ConnectionDescriptor: public EventableDescriptor
 		std::string PrivateKeyFilename;
 		bool bHandshakeSignaled;
 		bool bSslVerifyPeer;
-                bool bSslUseTls;
+                int bSslVersion;
+                std::string CipherList;
 		bool bSslPeerAccepted;
 		#endif
 

data/ext/eventmachine.h

@@ -69,7 +69,7 @@ extern "C" {
 	const unsigned long evma_create_unix_domain_server (const char *filename);
 	const unsigned long evma_open_datagram_socket (const char *server, int port);
 	const unsigned long evma_open_keyboard();
-	void evma_set_tls_parms (const unsigned long binding, const char *privatekey_filename, const char *certchain_filenane, int verify_peer, int use_tls);
+	void evma_set_tls_parms (const unsigned long binding, const char *privatekey_filename, const char *certchain_filenane, int verify_peer, int ssl_version, const char *cipherlist);
 	void evma_start_tls (const unsigned long binding);
 
 	#ifdef WITH_SSL

data/ext/extconf.rb

@@ -40,7 +40,8 @@ def manual_ssl_config
 end
 
 if ENV['CROSS_COMPILING']
-  openssl_dir = File.expand_path("~/.rake-compiler/builds/openssl-1.0.0a/")
+  openssl_version = ENV.fetch("OPENSSL_VERSION", "1.0.0j")
+  openssl_dir = File.expand_path("~/.rake-compiler/builds/openssl-#{openssl_version}/")
   if File.exists?(openssl_dir)
     FileUtils.mkdir_p Dir.pwd+"/openssl/"
     FileUtils.cp Dir[openssl_dir+"/include/openssl/*.h"], Dir.pwd+"/openssl/", :verbose => true
@@ -163,4 +164,4 @@ add_define 'HAVE_MAKE_PAIR' if try_link(<<SRC, '-lstdc++')
 SRC
 TRY_LINK.sub!('$(CXX)', '$(CC)')
 
-create_makefile "rubyeventmachine"
+create_makefile "rubyeventmachine"

data/ext/rubymain.cpp

@@ -307,14 +307,14 @@ static VALUE t_start_tls (VALUE self, VALUE signature)
 t_set_tls_parms
 ***************/
 
-static VALUE t_set_tls_parms (VALUE self, VALUE signature, VALUE privkeyfile, VALUE certchainfile, VALUE verify_peer, VALUE use_tls)
+static VALUE t_set_tls_parms (VALUE self, VALUE signature, VALUE privkeyfile, VALUE certchainfile, VALUE verify_peer, VALUE ssl_version, VALUE cipherlist)
 {
 	/* set_tls_parms takes a series of positional arguments for specifying such things
 	 * as private keys and certificate chains.
 	 * It's expected that the parameter list will grow as we add more supported features.
 	 * ALL of these parameters are optional, and can be specified as empty or NULL strings.
 	 */
-	evma_set_tls_parms (NUM2ULONG (signature), StringValuePtr (privkeyfile), StringValuePtr (certchainfile), (verify_peer == Qtrue ? 1 : 0), (use_tls == Qtrue ? 1 : 0));
+	evma_set_tls_parms (NUM2ULONG(signature), StringValuePtr(privkeyfile), StringValuePtr(certchainfile), (verify_peer == Qtrue ? 1 : 0), FIX2INT(ssl_version), StringValuePtr(cipherlist));
 	return Qnil;
 }
 
@@ -1216,7 +1216,7 @@ extern "C" void Init_rubyeventmachine()
 	rb_define_module_function (EmModule, "start_tcp_server", (VALUE(*)(...))t_start_server, 2);
 	rb_define_module_function (EmModule, "stop_tcp_server", (VALUE(*)(...))t_stop_server, 1);
 	rb_define_module_function (EmModule, "start_unix_server", (VALUE(*)(...))t_start_unix_server, 1);
-	rb_define_module_function (EmModule, "set_tls_parms", (VALUE(*)(...))t_set_tls_parms, 5);
+	rb_define_module_function (EmModule, "set_tls_parms", (VALUE(*)(...))t_set_tls_parms, 6);
 	rb_define_module_function (EmModule, "start_tls", (VALUE(*)(...))t_start_tls, 1);
 	rb_define_module_function (EmModule, "get_peer_cert", (VALUE(*)(...))t_get_peer_cert, 1);
 	rb_define_module_function (EmModule, "send_data", (VALUE(*)(...))t_send_data, 3);

data/ext/ssl.cpp

@@ -120,7 +120,7 @@ static void InitializeDefaultCredentials()
 SslContext_t::SslContext_t
 **************************/
 
-SslContext_t::SslContext_t (bool is_server, const string &privkeyfile, const string &certchainfile, bool use_tls):
+SslContext_t::SslContext_t (bool is_server, const string &privkeyfile, const string &certchainfile, int ssl_version, const string &cipherlist):
 	pCtx (NULL),
 	PrivateKey (NULL),
 	Certificate (NULL)
@@ -145,10 +145,21 @@ SslContext_t::SslContext_t (bool is_server, const string &privkeyfile, const str
 	}
 
 	bIsServer = is_server;
-        if (use_tls)
-          pCtx = SSL_CTX_new (is_server ? TLSv1_server_method() : TLSv1_client_method());
-        else
-          pCtx = SSL_CTX_new (is_server ? SSLv23_server_method() : SSLv23_client_method());
+
+        switch(ssl_version) {
+          /* SSLv23 */
+          case 0:
+            pCtx = SSL_CTX_new (is_server ? SSLv23_server_method() : SSLv23_client_method());
+            break;
+          /* SSLv3 */
+          case 1:
+            pCtx = SSL_CTX_new (is_server ? SSLv3_server_method() : SSLv3_client_method());
+            break;
+          /* TLSv1 */
+          case 2:
+            pCtx = SSL_CTX_new (is_server ? TLSv1_server_method() : TLSv1_client_method());
+            break;
+        };
 
 	if (!pCtx)
 		throw std::runtime_error ("no SSL context");
@@ -177,7 +188,10 @@ SslContext_t::SslContext_t (bool is_server, const string &privkeyfile, const str
 		assert (e > 0);
 	}
 
-	SSL_CTX_set_cipher_list (pCtx, "ALL:!ADH:!LOW:!EXP:!DES-CBC3-SHA:@STRENGTH");
+        if (cipherlist.length() > 0)
+          SSL_CTX_set_cipher_list (pCtx, cipherlist.c_str());
+        else
+          SSL_CTX_set_cipher_list (pCtx, "ALL:!ADH:!LOW:!EXP:!DES-CBC3-SHA:@STRENGTH");
 
 	if (is_server) {
 		SSL_CTX_sess_set_cache_size (pCtx, 128);
@@ -220,11 +234,11 @@ SslContext_t::~SslContext_t()
 SslBox_t::SslBox_t
 ******************/
 
-SslBox_t::SslBox_t (bool is_server, const string &privkeyfile, const string &certchainfile, bool verify_peer, bool use_tls, const unsigned long binding):
+SslBox_t::SslBox_t (bool is_server, const string &privkeyfile, const string &certchainfile, bool verify_peer, int ssl_version, const string &cipherlist, const unsigned long binding):
 	bIsServer (is_server),
 	bHandshakeCompleted (false),
 	bVerifyPeer (verify_peer),
-	bUseTls (use_tls),
+	bSslVersion (ssl_version),
 	pSSL (NULL),
 	pbioRead (NULL),
 	pbioWrite (NULL)
@@ -233,7 +247,7 @@ SslBox_t::SslBox_t (bool is_server, const string &privkeyfile, const string &cer
 	 * a new one every time we come here.
 	 */
 
-	Context = new SslContext_t (bIsServer, privkeyfile, certchainfile, use_tls);
+	Context = new SslContext_t (bIsServer, privkeyfile, certchainfile, ssl_version, cipherlist);
 	assert (Context);
 
 	pbioRead = BIO_new (BIO_s_mem());

data/ext/ssl.h

@@ -33,7 +33,7 @@ class SslContext_t
 class SslContext_t
 {
 	public:
-		SslContext_t (bool is_server, const string &privkeyfile, const string &certchainfile, bool use_tls);
+		SslContext_t (bool is_server, const string &privkeyfile, const string &certchainfile, int ssl_version, const string &cipherlist);
 		virtual ~SslContext_t();
 
 	private:
@@ -57,7 +57,7 @@ class SslBox_t
 class SslBox_t
 {
 	public:
-		SslBox_t (bool is_server, const string &privkeyfile, const string &certchainfile, bool verify_peer, bool use_tls, const unsigned long binding);
+		SslBox_t (bool is_server, const string &privkeyfile, const string &certchainfile, bool verify_peer, int ssl_version, const string &cipherlist, const unsigned long binding);
 		virtual ~SslBox_t();
 
 		int PutPlaintext (const char*, int);
@@ -78,7 +78,7 @@ class SslBox_t
 		bool bIsServer;
 		bool bHandshakeCompleted;
 		bool bVerifyPeer;
-                bool bUseTls;
+                int bSslVersion;
 		SSL *pSSL;
 		BIO *pbioRead;
 		BIO *pbioWrite;

data/lib/em/connection.rb

@@ -393,7 +393,9 @@ module EventMachine
     #                                               If true, the {#ssl_verify_peer} callback on the {EventMachine::Connection} object is called with each certificate
     #                                               in the certificate chain provided by the peer. See documentation on {#ssl_verify_peer} for how to use this.
     #
-    # @option args [Boolean] :use_tls (false)       indicates whether TLS or SSL must be offered to the peer. If true TLS is used, SSL otherwise.
+    # @option args [Symbol] :ssl_version (:SSLv23)   indicates the version of SSL to use. Valid values are :SSLv23, :SSLv3 and TLSv1.  Default value is :SSLv23.
+    #
+    # @option args [String] :cipher_list ("ALL:!ADH:!LOW:!EXP:!DES-CBC3-SHA:@STRENGTH")   indicates the available SSL cipher values. Default value is "ALL:!ADH:!LOW:!EXP:!DES-CBC3-SHA:@STRENGTH". Check the format of the OpenSSL cipher string at http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT.
     #
     # @example Using TLS with EventMachine
     #
@@ -419,7 +421,7 @@ module EventMachine
     #
     # @see #ssl_verify_peer
     def start_tls args={}
-      priv_key, cert_chain, verify_peer, use_tls = args.values_at(:private_key_file, :cert_chain_file, :verify_peer, :use_tls)
+      priv_key, cert_chain, verify_peer, ssl_version, cipher_list = args.values_at(:private_key_file, :cert_chain_file, :verify_peer, :ssl_version, :cipher_list)
 
       [priv_key, cert_chain].each do |file|
         next if file.nil? or file.empty?
@@ -427,7 +429,18 @@ module EventMachine
         "Could not find #{file} for start_tls" unless File.exists? file
       end
 
-      EventMachine::set_tls_parms(@signature, priv_key || '', cert_chain || '', verify_peer, (use_tls ? true : false))
+      # Backward compatibility with version 1.1.3:
+      ssl_version = :TLSv1  if args[:use_tls] and not ssl_version
+
+      ssl_version = case ssl_version
+        when nil     ; 0
+        when :SSLv23 ; 0
+        when :SSLv3  ; 1
+        when :TLSv1  ; 2
+        else         ; raise "invalid value #{ssl_version.inspect} for :ssl_version"
+      end
+
+      EventMachine::set_tls_parms(@signature, priv_key || '', cert_chain || '', verify_peer, ssl_version, cipher_list || '')
       EventMachine::start_tls @signature
     end
 

data/lib/em/protocols/smtpclient.rb

@@ -271,7 +271,7 @@ module EventMachine
               psw = psw.call
             end
             #str = Base64::encode64("\0#{@args[:auth][:username]}\0#{psw}").chomp
-            str = ["\0#{@args[:auth][:username]}\0#{psw}"].pack("m").chomp
+            str = ["\0#{@args[:auth][:username]}\0#{psw}"].pack("m").gsub(/\n/, '')
             send_data "AUTH PLAIN #{str}\r\n"
             @responder = :receive_auth_response
           else

data/lib/em/protocols/smtpserver.rb

@@ -564,7 +564,7 @@ module EventMachine
           @state -= [:data, :mail_from, :rcpt]
         else
           # slice off leading . if any
-          ln.slice!(0...1) if ln[0] == 46
+          ln.slice!(0...1) if ln[0] && ln[0].ord == 46
           @databuffer << ln
           if @databuffer.length > @@parms[:chunksize]
             receive_data_chunk @databuffer

data/lib/em/version.rb

@@ -1,3 +1,3 @@
 module EventMachine
-  VERSION = "1.1.3"
+  VERSION = "1.1.4.beta.2"
 end

data/tests/test_ssl_cipher_list.rb

@@ -0,0 +1,62 @@
+require 'em_test_helper'
+
+class TestSSLCipherList < Test::Unit::TestCase
+
+  module ServerHandler
+
+    def post_init
+      start_tls({:cipher_list => $server_cipher_list})
+    end
+
+    def ssl_handshake_completed
+      $server_called_back = true
+    end
+
+  end
+
+  module ClientHandler
+
+    def post_init
+      start_tls({:cipher_list => $client_cipher_list})
+    end
+
+    def ssl_handshake_completed
+      $client_called_back = true
+      EM.stop_event_loop
+    end
+
+  end
+
+  def test_ssl_compatible_cipher_list
+    $server_called_back, $client_called_back = false, false
+
+    $server_cipher_list = "ALL"
+    $client_cipher_list = "DES-CBC3-SHA"
+
+    EM.run {
+      EM.start_server("127.0.0.1", 9999, ServerHandler)
+      EM.connect("127.0.0.1", 9999, ClientHandler)
+      EM.add_timer(0.5) { EM.stop }
+    }
+
+    assert($server_called_back, "server ssl handshake NOT completed in 0.5 seconds")
+    assert($client_called_back, "client ssl handshake NOT completed in 0.5 seconds")
+  end
+
+  def test_ssl_non_compatible_cipher_list
+    $server_called_back, $client_called_back = false, false
+
+    $server_cipher_list = ""  # Use EM default cipher which does not include "DES-CBC3-SHA"
+    $client_cipher_list = "DES-CBC3-SHA"
+
+    EM.run {
+      EM.start_server("127.0.0.1", 19999, ServerHandler)
+      EM.connect("127.0.0.1", 19999, ClientHandler)
+      EM.add_timer(0.5) { EM.stop }
+    }
+
+    assert_equal(false, $server_called_back)
+    assert_equal(false, $client_called_back)
+  end
+
+end if EM.ssl?

metadata

@@ -1,8 +1,8 @@
 --- !ruby/object:Gem::Specification
 name: eventmachine-le
 version: !ruby/object:Gem::Version
-  version: 1.1.3
-  prerelease: 
+  version: 1.1.4.beta.2
+  prerelease: 6
 platform: ruby
 authors:
 - Francis Cianfrocca
@@ -11,11 +11,11 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-08-28 00:00:00.000000000 Z
+date: 2012-10-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake-compiler
-  requirement: &17526700 !ruby/object:Gem::Requirement
+  requirement: &15942320 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -23,10 +23,10 @@ dependencies:
         version: 0.7.9
   type: :development
   prerelease: false
-  version_requirements: *17526700
+  version_requirements: *15942320
 - !ruby/object:Gem::Dependency
   name: yard
-  requirement: &17526220 !ruby/object:Gem::Requirement
+  requirement: &15931040 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -34,10 +34,10 @@ dependencies:
         version: 0.7.2
   type: :development
   prerelease: false
-  version_requirements: *17526220
+  version_requirements: *15931040
 - !ruby/object:Gem::Dependency
   name: bluecloth
-  requirement: &17525820 !ruby/object:Gem::Requirement
+  requirement: &15929420 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -45,7 +45,7 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *17525820
+  version_requirements: *15929420
 description: ! 'EventMachine-LE (Live Edition) is a branch of EventMachine (https://github.com/eventmachine/eventmachine).
 
 
@@ -89,8 +89,10 @@ extensions:
 extra_rdoc_files:
 - README.md
 - .gitignore
+- .travis.yaml
 - .yardopts
 - GNU
+- Gemfile
 - LICENSE
 - Rakefile
 - eventmachine-le.gemspec
@@ -208,6 +210,7 @@ extra_rdoc_files:
 - tests/test_smtpserver.rb
 - tests/test_spawn.rb
 - tests/test_ssl_args.rb
+- tests/test_ssl_cipher_list.rb
 - tests/test_ssl_methods.rb
 - tests/test_ssl_verify.rb
 - tests/test_threaded_resource.rb
@@ -218,8 +221,10 @@ extra_rdoc_files:
 - tests/test_unbind_reason.rb
 files:
 - .gitignore
+- .travis.yaml
 - .yardopts
 - GNU
+- Gemfile
 - LICENSE
 - README.md
 - Rakefile
@@ -338,6 +343,7 @@ files:
 - tests/test_smtpserver.rb
 - tests/test_spawn.rb
 - tests/test_ssl_args.rb
+- tests/test_ssl_cipher_list.rb
 - tests/test_ssl_methods.rb
 - tests/test_ssl_verify.rb
 - tests/test_threaded_resource.rb
@@ -367,9 +373,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
-  - - ! '>='
+  - - ! '>'
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project: 
 rubygems_version: 1.8.11